SQL Injection Vulnerability?

8 posts, 0 answers
  1. Chris
    Chris avatar
    11 posts
    Member since:
    Feb 2009

    Posted 15 Jul 2010

    Correct me if I'm wrong, but it seems that using the RadFilterSqlQueryProvider to generate a SQL where clause, which is then used in a query that gets executed against your database, is extremely vulnerable to SQL injection attacks. A user could type an entire SQL statement into a filter field editor, and the RadFilterSqlQueryProvider will simply inject that directly into the where clause verbatim.

    If this is true, is there any way to protect against this? Is the only alternative to create your own QueryProvider to generate a parameterized query instead?

    Thanks,

    Chris
  2. Nikolay Rusev
    Admin
    Nikolay Rusev avatar
    2285 posts

    Posted 15 Jul 2010

    Hello Chris,

    RadFilter does not directly apply the values from the UI to the DB. The values are firstly parsed to the proper data type, and secondly certain symbols are escaped in order to prevent SQL injection.

    Regards,
    Nikolay
    the Telerik team
    Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items
  4. Chris
    Chris avatar
    11 posts
    Member since:
    Feb 2009

    Posted 18 Jul 2010

    Thanks for the response.  It's good to know that RadFilter has measures to combat SQL injection when interacting directly with other controls like RadGrid.  However, I was more concerned about cases when you do want to leverage the generated SQL in your own code, which I assume is the whole point of RadFilterSqlQueryProvider as well as the other query provider variants. 

    It would be nice to have an option to tell the RadFilterSqlQueryProvider to generate a parameterized query, which you could then use in conjunction with the actual values that you've stored separately. Using the queries generated from these providers as-is is a huge security threat, because they do nothing to combat SQL injection.

    Thanks!

    Chris
  5. Nikolay Rusev
    Admin
    Nikolay Rusev avatar
    2285 posts

    Posted 22 Jul 2010

    Hello Chris,

    The main purpose of these providers is to be used against filterable controls/datasource controls (in .NET 3.*/4.0), not to build any kind of SQL statements.

    You can build SQL on your own by iterating the expressions of RadFilter or by extending RadFilterSqlQueryProvider and overriding PrepareQuery (as its argument this method receives the expressions for which SQL must be generated).

    Greetings,
    Nikolay
    the Telerik team
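    The two routes Nikolay describes above, walking the RadFilter expression tree yourself or overriding PrepareQuery, only remove the risk Chris raises if the text you generate contains placeholders and the typed values travel separately as parameters. The block below is an added example written for this page; it is not Telerik code and not from any post in the thread. It models a RadFilter-style expression tree in Python (ValueExpression and GroupExpression are simplified stand-ins for RadFilterNonGroupExpression/IRadFilterValueExpression and RadFilterGroupExpression, and the function names follow the RadFilterFunction members), builds the same WHERE clause two ways, values inlined verbatim versus "?" placeholders plus a parameter list, and runs both against an in-memory SQLite table of constructed rows so the difference is visible. The column whitelist (ALLOWED_COLUMNS) and the Customers table are assumptions of the example, not anything from RadFilter.

```python
import sqlite3
from dataclasses import dataclass, field
from typing import List, Tuple, Union

# Comparison functions, named after the RadFilterFunction members they model.
OPERATORS = {
    "EqualTo": "=", "NotEqualTo": "<>",
    "GreaterThan": ">", "LessThan": "<",
    "GreaterThanOrEqualTo": ">=", "LessThanOrEqualTo": "<=",
}
# Text functions map to LIKE; the wildcard is added by the builder, never by the user.
LIKE_FUNCTIONS = {"Contains": ("%", "%"), "StartsWith": ("", "%"), "EndsWith": ("%", "")}

# Assumed whitelist: identifiers cannot be bound as parameters, so validate them instead.
ALLOWED_COLUMNS = {"Name", "Country", "Age"}


@dataclass
class ValueExpression:
    """Simplified stand-in for RadFilterNonGroupExpression + IRadFilterValueExpression."""
    field_name: str
    function: str
    values: List[object] = field(default_factory=list)


@dataclass
class GroupExpression:
    """Simplified stand-in for RadFilterGroupExpression ("And"/"Or" over child expressions)."""
    operation: str
    expressions: List[Union["GroupExpression", ValueExpression]] = field(default_factory=list)


def quote_identifier(name: str) -> str:
    if name not in ALLOWED_COLUMNS:
        raise ValueError("unknown column: %r" % name)
    return '"%s"' % name


def naive_where(expr) -> str:
    """Inline the typed values verbatim: the behaviour Chris describes in the first post."""
    if isinstance(expr, GroupExpression):
        joiner = " %s " % expr.operation.upper()
        return "(" + joiner.join(naive_where(e) for e in expr.expressions) + ")"
    return "%s %s '%s'" % (quote_identifier(expr.field_name), OPERATORS[expr.function], expr.values[0])


def parameterized_where(expr, params=None) -> Tuple[str, list]:
    """Emit '?' placeholders and collect the values in order: what a PrepareQuery override should produce."""
    if params is None:
        params = []
    if isinstance(expr, GroupExpression):
        if not expr.expressions:
            return "1=1", params
        joiner = " %s " % expr.operation.upper()
        parts = [parameterized_where(e, params)[0] for e in expr.expressions]
        return "(" + joiner.join(parts) + ")", params
    col = quote_identifier(expr.field_name)
    fn = expr.function
    if fn in OPERATORS:
        params.append(expr.values[0])
        return "%s %s ?" % (col, OPERATORS[fn]), params
    if fn in LIKE_FUNCTIONS:
        prefix, suffix = LIKE_FUNCTIONS[fn]
        # A bound parameter is still a LIKE pattern: escape the user's wildcards so
        # typing "%" into a Contains filter cannot match every row.
        escaped = (str(expr.values[0]).replace("\\", "\\\\")
                   .replace("%", "\\%").replace("_", "\\_"))
        params.append(prefix + escaped + suffix)
        return "%s LIKE ? ESCAPE '\\'" % col, params
    if fn == "Between":
        params.extend([expr.values[0], expr.values[1]])
        return "%s BETWEEN ? AND ?" % col, params
    if fn == "IsNull":
        return "%s IS NULL" % col, params
    if fn == "NotIsNull":
        return "%s IS NOT NULL" % col, params
    raise ValueError("unsupported filter function: %s" % fn)


def run(where_clause: str, params=()) -> List[str]:
    """Run SELECT Name FROM Customers WHERE <clause> against a constructed in-memory table."""
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE Customers ("Name" TEXT, "Country" TEXT, "Age" INTEGER)')
    conn.executemany("INSERT INTO Customers VALUES (?, ?, ?)", [
        ("Alice", "UK", 34), ("Bob", "Germany", 45), ("Carol", "UK", 29), ("Dave", "France", 52),
    ])
    rows = conn.execute("SELECT Name FROM Customers WHERE " + where_clause, list(params)).fetchall()
    conn.close()
    return [r[0] for r in rows]


if __name__ == "__main__":
    # What a user types into the Country filter editor.
    payload = "' OR '1'='1"
    tree = GroupExpression("And", [ValueExpression("Country", "EqualTo", [payload])])
    print(naive_where(tree), "->", run(naive_where(tree)))   # every row comes back
    sql, params = parameterized_where(tree)
    print(sql, params, "->", run(sql, params))               # no row has that Country
```

    Two details matter beyond the placeholders themselves. The LIKE branch escapes %, _ and \ and adds an ESCAPE clause, because parameterisation alone does not stop a user from widening a Contains filter with a wildcard. And FieldName is checked against a whitelist rather than quoted, because a column name cannot be bound as a parameter; in RadFilter it comes from the control's field configuration rather than the value editor, but a provider that builds SQL should still refuse anything it does not recognise.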
  6. tiffany
    tiffany avatar
    3 posts
    Member since:
    Jan 2011

    Posted 11 Oct 2011

    Hi,

    Does RadGrid without using RadFilter also prevent SQL injection attacks?

    Thanks,
    Tiffany
  7. Radoslav
    Admin
    Radoslav avatar
    1564 posts

    Posted 14 Oct 2011

    Hi Tiffany,

    The RadGrid does not directly insert or update values into the database. Depending on the data binding used, inserted or updated values are passed to the database via data-bound controls or manually by code in the code-behind. In the first case, to avoid injection you need to populate the UpdateParameters and InsertParameters collections of the data source. An example of this approach can be found at the following link:
    http://demos.telerik.com/aspnet-ajax/grid/examples/dataediting/alleditablecolumns/defaultcs.aspx
    In this case the responsibility for inserting and updating values lies with the data-bound control, and it will parse and escape the values.

    In the second approach the responsibility for preventing SQL injection lies with the developer. In this case the suggested approach is to use parameterized queries or a stored procedure.

    Additionally, please check out the following online examples which demonstrate how to perform CRUD operations with the RadGrid:
    http://demos.telerik.com/aspnet-ajax/grid/examples/dataediting/entityframeworkcrud/defaultcs.aspx
    http://demos.telerik.com/aspnet-ajax/grid/examples/dataediting/programaticlinqupdates/defaultcs.aspx

    I hope this helps.

    Kind regards,
    Radoslav
    the Telerik team
    If you want to get updates on new releases, tips and tricks and sneak peeks at our product labs directly from the developers working on the RadControls for ASP.NET AJAX, subscribe to their blog feed now
  8. DeveloperX
    DeveloperX avatar
    19 posts
    Member since:
    Apr 2004

    Posted 23 Mar 2012

    How do we get what value they entered in the expression, when overriding PrepareQuery?
  9. Radoslav
    Admin
    Radoslav avatar
    1564 posts

    Posted 27 Mar 2012

    Hi Tyrone,

    You could get the entered values in PrepareQuery by casting the expression parameter to IRadFilterValueExpression and using its Values property. You could also get the entire where clause in the ProcessGroup method or in the RadFilter.ApplyExpressions event:
    using Telerik.Web.UI;

    public class MyRadFilterSqlQueryProvider : RadFilterSqlQueryProvider
    {
        public override void ProcessGroup(RadFilterGroupExpression rootGroup)
        {
            base.ProcessGroup(rootGroup);
            // After the base call, Result holds the complete where clause for the whole tree.
            var whereClause = this.Result;
        }

        protected override string PrepareQuery(RadFilterNonGroupExpression expression)
        {
            // Expressions that carry user-entered values implement IRadFilterValueExpression;
            // Values holds what was typed into the editor. Use "as" rather than a hard cast,
            // since expressions for functions that take no value (for example IsNull) may not implement it.
            var valueExpression = expression as IRadFilterValueExpression;
            if (valueExpression != null)
            {
                var values = valueExpression.Values;
            }

            return base.PrepareQuery(expression);
        }
    }

    // Code-behind: Log is a Label (or Literal) control on the page.
    protected void RadFilter1_ApplyExpressions(object sender, RadFilterApplyExpressionsEventArgs e)
    {
        MyRadFilterSqlQueryProvider provider = new MyRadFilterSqlQueryProvider();
        provider.ProcessGroup(e.ExpressionRoot);
        Log.Text = provider.Result;
    }

    I hope this helps.

    Kind regards,
    Radoslav
    the Telerik team